snarang
Product Team
7 years ago

PHP-FPM Flaw Puts nginx Servers At Risk for Remote Code Execution Attacks (CVE-2019-11043)

A GitHub repository containing proof of concept (PoC) code for a recently disclosed vulnerability in PHP-FPM, the FastCGI Process Manager (FPM) for PHP, has been released. The security researchers who discovered the flaw reported the issue on the PHP bug-tracker in September 2019. The vulnerability, identified as CVE-2019-11043, is an env_path_info underflow flaw in PHP-FPM’s fpm_main.c.

The flaw is exploitable on web servers running nginx under certain configurations with a set of preconditions being required. The configurations and preconditions are not uncommon, as it was recently discovered that Nextcloud, the open-source file hosting software, originally recommended the vulnerable nginx configuration in their installation documentation.

For more details about the flaw, including the preconditions required as well as patch availability, please visit our blog.